Last updated: June 4, 2026
1. Introduction, purpose and definitions
2. Rights and obligations of the data controller
The Data Controller is responsible for ensuring that the processing of Personal Data is carried out in accordance with the GDPR (cf. GDPR Article 24), including applicable national data protection legislation and this Data Processing Agreement.
The Data Controller has the right and duty to make decisions regarding the purposes and means to be used for the processing of Personal Data.
The Data Controller shall be responsible for ensuring that the Data Processor has sufficient instructions and information at all times to fulfill its obligations under the Data Processing Agreement and data protection regulations.
The Data Controller shall inform the affected data subjects of the processing activities that the Data Processor will perform on behalf of the Data Controller under this Data Processing Agreement.
The Data Controller shall implement appropriate technical and organizational measures to ensure and demonstrate compliance with the GDPR.
The Data Controller shall notify any personal data breaches to the relevant authorities and, if necessary, the data subjects without undue delay in accordance with applicable law.
3. Instructions from the data controller
The Data Processor shall only process Personal Data in accordance with documented instructions from the Data Controller, unless otherwise required by EU or national legislation to which the Data Processor is subject. The Agreement (cf. definition in section 1 of the Supplier's Terms of Use) constitutes the instructions as of the date of entering into this Data Processing Agreement. Instructions may also have been given after the time of entering into the Agreement and the Data Processing Agreement. The Data Processor must at all times be able to document such instructions.
Unless otherwise specified in the Data Processing Agreement, the Data Processor may use all relevant technical means (including IT systems and software) to fulfill the obligations incumbent upon the Data Processor.
If the Data Processor is of the opinion that an instruction from the Data Controller is in conflict with the data protection regulations, the Data Processor shall immediately notify the Data Controller of this opinion.
4. Confidentiality
The Data Processor shall ensure that employees and others who have access to Personal Data are authorized to process such Personal Data on behalf of the Data Processor. If such authorization expires or is withdrawn, access to the Personal Data shall cease without undue delay.
The Data Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This provision also applies after the termination of the Data Processor Agreement. The Data Processor shall, upon request from the Data Controller, be able to document the same.
5. Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller and the Processor shall consider implementing one or more of the following technical and organisational measures:
pseudonymisation and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Pursuant to GDPR Article 32, the Processor shall also – independently of the Controller – evaluate the risks to the rights and freedoms of natural persons in connection with the processing, and implement measures to mitigate these risks. For this purpose, the Controller shall provide the Processor with all information necessary to identify and evaluate such risks.
Furthermore, the Processor shall assist the Controller in ensuring compliance with the Controller's obligations pursuant to GDPR Article 32, by, among other things, providing the Controller with information regarding the technical and organisational measures implemented by the Processor pursuant to GDPR Article 32 along with other information that is necessary for the Controller to have access to in order to comply with the Controller's obligations pursuant to GDPR Article 32.
Additional security measures will be implemented by the Processor, in accordance with the Processor's security policy.
6. Use of sub-processors
The processor shall meet the requirements of GDPR Article 28 (2) and (4) in order to engage another processor (a Sub-processor).
At the time of entering into the Data Processor Agreement, the Processor has the Controller's general authorization to engage Sub-processors. The Processor shall inform the Controller in writing of any intended changes concerning the addition or replacement of Sub-processors at least fourteen (14) days in advance, thereby giving the Controller the opportunity to object to such changes before the Sub-processor in question is engaged. Approved Sub-processors at the inception of the Data Processor Agreement are specified in Exhibit B of the Data Processor Agreement.
Sub-processors shall be made aware of the Processor's obligations under this Data Processor Agreement and the regulations governing the processing of the Controller's Personal Data, and shall be bound by the same obligations with respect to the protection of Personal Data as set out in this Data Processor Agreement, whereby the Sub-processor shall provide sufficient guarantees that technical and organizational measures will be implemented to ensure that the processing meets statutory requirements. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations under its contract with the Processor. The Processor shall notify the Controller of any deficiencies in the Sub-processor's fulfillment of its contractual obligations.
The Controller also has the right, upon written request, to receive copies of the relevant terms of the Processor's agreement with Sub-processors who are to process personal data on behalf of the Controller, subject to such limitations as may follow from law or regulation. Purely commercial terms may under no circumstances be required to be disclosed.
The Processor shall enter into a third-party beneficiary clause with the Sub-processor, so that – in the event the Processor has factually disappeared, ceased to exist in law, or has become insolvent – the Controller shall have the right to terminate the contract with the Sub-processor and instruct the Sub-processor to delete or return the Personal Data.
7. Transfer of personal data to third countries or international organizations
Any transfer of Personal Data to Third Countries or International Organizations shall only take place on the basis of documented instructions from the Controller and shall always take place in accordance with GDPR Chapter V.
In the event that transfers to Third Countries or International Organizations, which the Processor has not been instructed to perform by the Controller, are required under EU or national legislation to which the Processor is subject, the Processor shall inform the Controller of the legal basis prior to the transfer taking place, unless the law prohibits this on important grounds of public interest.
The Controller's instructions regarding the transfer of Personal Data to a Third Country including, if applicable, the basis of transfer under GDPR Chapter V on which the transfer is based, shall be set forth in Appendix B.1.
This Data Processor Agreement shall not be confused with standard data protection clauses pursuant to GDPR Article 46 (2) (c) and (d), and this Data Processor Agreement cannot be considered a transfer basis under GDPR Chapter V.
8. Assistance to the data controller
Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligations to respond to requests for exercising the data subject's rights laid down in GDPR Chapter III.
This means that the Data Processor, insofar as this is possible, shall assist the Data Controller in the Data Controller's compliance with:
the right to be informed when Personal Data are collected from the data subject
the right to be informed when Personal Data have not been obtained from the data subject
the data subject's right of access
the right to rectification
the right to erasure ("the right to be forgotten")
the right to restriction of processing
the notification obligation regarding rectification or erasure of Personal Data or restriction of processing
the right to data portability
the right to object
the right not to be subject to a decision based solely on automated processing, including profiling
In addition to the Data Processor's obligation to assist the Data Controller under section 5, the Data Processor shall further, taking into account the nature of processing and the information available to the Data Processor, assist the Data Controller in ensuring compliance with:
The Data Controller's obligation to, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
The Data Controller's obligation to, without undue delay, communicate the personal data breach to the data subject when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
The Data Controller's obligation to carry out data protection impact assessments;
The Data Controller's obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk.
The Data Controller's obligation to ensure that the Personal Data are accurate and kept up to date, by informing the Data Controller without undue delay if the Data Processor becomes aware that the Personal Data being processed are inaccurate or outdated.
9. Notification of Personal Data Breach
In the event of a personal data breach, the Processor shall, without undue delay after becoming aware of it, notify the Controller of the personal data breach.
The Processor's notification to the Controller shall, if possible, take place no later than 48 hours after the Processor has become aware of the personal data breach, in order to facilitate the Controller's compliance with the Controller's obligation to report the personal data breach to the competent supervisory authority, cf. GDPR Article 33.
In accordance with clause 8, the Processor shall assist the Controller in notifying the competent supervisory authority of a personal data breach, which means that the Processor is required to assist in obtaining the information described below, in accordance with GDPR Article 33 (3):
a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
the name and contact details of the data protection officer or other contact point where more information can be obtained;
a description of the likely consequences of the personal data breach;
a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If all information cannot be provided in the first notification, the information shall be provided successively without undue delay as soon as it becomes available.
10. Deletion and return of personal data
The Parties agree that upon termination of the Agreement (cf. Section 3 of the Supplier's Terms of Use), this Data Processing Agreement will also be deemed terminated.
Upon termination of the Agreement, the Data Processor is obliged to return all Personal Data to the Controller and delete existing copies after the agreement with the Controller terminates, unless the Parties agree otherwise, and unless EU or national legislation requires storage of the Personal Data.
For the avoidance of doubt, nothing in this Data Processing Agreement shall oblige the Data Processor to delete copies of Personal Data that it holds on its own behalf as a Controller (if any). Furthermore, nothing in this Data Processing Agreement shall oblige the Data Processor to delete data that is not Personal Data (either directly or indirectly) such as, but not limited to, sufficiently aggregated and/or sufficiently anonymised statistical data regarding the Controller's use and the Controller's end users' use of the cloud-based accounting system Catacloud offered under the Agreement.
11. Audit and inspection
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this Data Processing Agreement, and contribute to audits, including inspections, conducted by the Controller themselves or by an auditor commissioned by the Controller at reasonable intervals or if there are indications of non-compliance.
The Processor is required to provide supervisory authorities, which under applicable legislation have access to the facilities of the Controller and the Processor, or representatives acting on behalf of such supervisory authorities, with access to the Processor's physical facilities upon presentation of appropriate identification.
12. Other duties and rights
Other duties and rights between the Parties are stipulated in the Agreement (cf. definition in section 1, in the Provider's terms of use).
The same contact persons under the Agreement will be the contact persons under this Data Processing Agreement.
Both Parties acknowledge that this Data Processing Agreement shall not expand the Controller's options for sanctions, including liability for damages for the Processor, beyond what follows from the Agreement (cf. section 13.3 in the Provider's terms of use), or the GDPR. The Parties acknowledge that some of the obligations and areas of responsibility under the GDPR differ from the options for sanctions in the Provider's terms of use.
Upon transfer of the Agreement to other parties (cf. section 5 in the Provider's terms of use), the Data Processing Agreement will be deemed transferred at the same time.
13. Dispute and jurisdiction
This Data Processing Agreement shall be interpreted in its entirety in accordance with Norwegian law, with the exception of mandatory provisions in applicable data protection legislation.
Any dispute regarding the Data Processing Agreement, or dispute arising as a result of this Data Processing Agreement, shall in the first instance be resolved by the Parties through negotiations.
If a dispute cannot be resolved through negotiations, the dispute shall be subject to Oslo District Court, unless another mandatory jurisdiction applies under applicable data protection legislation.
Appendix A. Information about the processing
A.2. The Data Processor's processing of Personal Data on behalf of the Data Controller shall mainly concern (the nature of the processing):
The nature of the processing may vary. The nature of the processing will include, but is not limited to, the collection of Personal Data, structuring of Personal Data, storage of Personal Data, adaptation or modification of Personal Data, transfer of Personal Data, analysis of personal data, or combinations thereof.
Other processing activities may be performed by the Data Processor for the purpose of fulfilling the Data Processor's obligations under the Agreement (cf. definition in section 1 of the Supplier's Terms of Use).
A.3. The processing includes the following types of Personal Data regarding data subjects:
Contact information such as name, email addresses, phone numbers, and physical addresses.
End users' employment details / information (and related information thereto) such as date of birth, social security number / national identification number, nationality, gender, job title, department, start date, bank account details for salary payments, base salary, overtime hours and rates, bonus or incentive information, deductions and contributions (taxes, insurance premiums, pension schemes), leave requests and approvals, attendance records (working hours, absences, delays).
System and usage data such as IP address, device information, logs.
Document metadata such as document titles, author information, date and time of document creation or modification, keywords or tags associated with documents.
Financial information to the extent necessary to perform compliance processes such as closing of accounts, tax reporting, and auditing.
In the event that it becomes necessary to process more Personal Data than those listed above, such processing will take place in accordance with instructions from the Data Controller, and/or because such processing is necessary to fulfill the Data Processor's obligations under the Agreement (cf. definition in clause 1 of the Supplier's Terms of Use).
A.4. Processing includes the following categories of data subjects:
The Controller's (Customer's) employees
The Controller's (Customer's) end users
All other persons / individuals / users who interact with the cloud-based accounting system Catacloud, under the instruction and authorization of the Controller, to upload, access, and process documents and data. This includes, for example, but is not limited to, Resellers who sell access to the system and the Catacloud solution for their own account and act as an independent business operator towards both the Provider and the Reseller's end customers.
In the event that it becomes necessary to process Personal Data regarding more categories of data subjects than those listed above, such processing will take place in accordance with instructions from the Controller, and/or because such processing is necessary to fulfill the Processor's obligations under the Agreement (cf. definition in section 1 of the Provider's terms of use).
A.5. The Processor's processing of Personal Data on behalf of the Controller shall commence when this Agreement enters into force. The processing has the following duration:
For the entire duration/period of the Agreement (cf. section 3 of the Supplier's terms of use).
Appendix B. Authorized sub-processors
B.1. Approved subprocessors.
At the time of entering into the Agreement (cf. definition in section 1 of the Provider's terms of use) and this Data Processing Agreement, the Controller has approved the use of the following Sub-processors:
Catacloud
Rolfsbuktveien 2, 1364 Fornebu, Norway
All processing is carried out within the EU/EEA
Owns the solution/accounting system that is available at app.catacloud.com and is used by the customer.
ZTL
Kristian IVs gate 15, 0164 Oslo, Norway
All processing is carried out within the EU/EEA
Enables users to initiate secure and convenient payment transactions directly from their accounts.
Nets (Mastercard)
Nets Branch Norway, Haavard Martinsens vei 54, 0978 Oslo
All processing is carried out within the EU/EEA
Facilitates secure and efficient payment transactions between merchants, cardholders, and issuing banks.
ECIT Digital
Stadionveien 4, 7898 Limingen, Norway
All processing is carried out within the EU/EEA
Manage and organize documents in a digital format, enabling easy storage, retrieval, and tracking.
Intect
Hørkær 12A, 2730 Herlev, Denmark
All processing is carried out within the EU/EEA
Administration of compensation and payroll processes for employees.
Amazon Web Services
One Burlington Plaza, Burlington Road, Dublin 4, D04 RH96, Ireland
All processing is carried out within the EU/EEA
Hosting and storage of personal data.
Intercom
55 2nd Street, 4th Floor, San Francisco, CA 94105, USA
Data is stored with AWS in Northern Virginia, USA
Communication platform for customer service, user management, and interaction between Catacloud and end users.
Cradl.ai, Lucidtech AS
Kongens gate 12, 0153 Oslo, Norway
All processing is carried out within the EU/EEA
Automated document interpretation and data extraction using artificial intelligence, to structure and make accounting and voucher data accessible.
JCloud AS
Inkognitogata 33A, 0256 Oslo, Norway
All processing is carried out within the EU/EEA
Secure storage, backup, and management of data, including personal data, in cloud-based infrastructure.
The Controller has, at the commencement of the Agreement and this Data Processing Agreement, approved the use of the aforementioned Subprocessors for the processing described for that party.
B.2. General authorization of the data controller.
Subject to the limitations explicitly mentioned in this Data Processing Agreement, and subject to applicable limitations under GDPR, the Controller gives a general consent for the Processor to, during the term of the Agreement (cf. Section 3 of the Supplier's Terms of Use), use standard software from Amazon and the other Sub-processors listed in Appendix B, Section B.1, in order to fulfill the Processor's obligations under the Agreement (cf. definition in Section 1 of the Supplier's Terms of Use). Furthermore, the Controller consents to such processing being supported by servers in Third Countries.
The agreed advance notice period for authorization to add and/or change Sub-processors is at least fourteen (14) days. The Controller has the opportunity to object to such changes within the said deadline. If no objection from the Controller is received at the latest within the deadline mentioned above, the Sub-processor in question shall be deemed accepted by the Controller.